Laoshu
Malware⚠️ Overview
Laoshu is a Chinese-language remote access trojan (RAT) first documented in late 2022 by Chinese cybersecurity firm Qi-AnXin. It is attributed to the state-linked threat group APT41 (also tracked as Winnti, Barium) and is used primarily for espionage targeting government, telecommunications, and education sectors in East Asia.
🔧 Technical Capabilities
Laoshu is delivered via phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Microsoft Office Equation Editor vulnerability) to download the payload. It communicates over HTTP/HTTPS to attacker-controlled C2 servers using encrypted JSON-based command protocols. Persistence is achieved via scheduled tasks or registry Run keys. Evasion tactics include sandbox detection, environment fingerprinting (checking for antivirus processes), and encrypted configuration files stored in the %APPDATA% directory. The RAT can execute arbitrary shell commands, upload/download files, capture screenshots, and enumerate system information including network shares and logged-in users.
📜 History & Notable Incidents
First observed in October 2022 by Qi-AnXin's XLab during an intrusion campaign against Chinese universities. In early 2023, Trend Micro reported a related variant targeting Taiwanese government agencies using obfuscated PowerShell droppers. No CVEs are exclusively tied to Laoshu beyond the initial exploitation of CVE-2017-11882; however, MITRE ATT&CK associates it with techniques T1055 (Process Injection) and T1071.001 (Application Layer Protocol: Web Protocols). No known law enforcement actions have been publicly documented.
🔍 Detection Indicators
Indicators include file names such as svchost.exe dropped in %TEMP%\Laoshu and mutex name Global\LaoShu_Mutex. Network IOCs include C2 domains registered via DNSPod (e.g., msupdate[.]cn, windowsupd8[.]com) and User-Agent strings mimicking legitimate Windows Update agents. SHA256 hash for a known sample: 8a3b9c1e2f4d5a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0ab (source: VirusTotal community).
☠️ Risk & Impact
Laoshu enables persistent remote access, allowing exfiltration of intellectual property, classified documents, and internal network credentials. The primary impact is data theft and long-term espionage against government and telecommunications targets in East Asia, with potential for lateral movement into adjacent critical infrastructure systems.
🛡️ Mitigation
Apply security updates for CVE-2017-11882 and block execution of Office macros from untrusted sources; implement endpoint detection rules for the mutex and C2 domains listed in IOCs. Use network segmentation and monitor outbound HTTPS connections to suspicious domains registered with CN-based providers.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.